cisco:books:ccnp_300-730:ch3:001

cisco:books:ccnp_300-730:ch3:001 [2025/08/31 14:59] Name
cisco:books:ccnp_300-730:ch3:001 [2025/08/31 17:54] (current) Name
Line 16: Line 16:
 <code>en <code>en
 conf t conf t
 +no ip domain lookup
 hostname r1-hub hostname r1-hub
 line con 0 line con 0
 +history size 256
 logg syn logg syn
 exec-timeout 0 0 exec-timeout 0 0
Line 26: Line 28:
  ip address 1.1.1.1 255.255.255.255  ip address 1.1.1.1 255.255.255.255
 ! !
-interface Ethernet0/0+interface GigabitEthernet1
  shutdown  shutdown
  ip address 12.1.1.1 255.255.255.0  ip address 12.1.1.1 255.255.255.0
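Review bot: the rename from Ethernet0/0 to GigabitEthernet1 has to be carried through everything that names the interface, not only the config stanzas; the last hunk of this revision drops the old "Packet Capture on r1-hub e0/0 interface" bullet and the overview image it borrowed from Lab 000, so check that the topology diagram this page now links to labels the link as GigabitEthernet1 on both routers, otherwise the later ''show ip cef 12.1.1.2'' output (''attached to GigabitEthernet1'') will not match the picture the reader is looking at. Keeping ''shutdown'' here while the interface is only enabled by the ''no shutdown'' in the crypto-map stanza further down is fine, but a short comment saying so would save a reader who pastes this stanza alone from wondering why the link stays down.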
Line 63: Line 65:
  match address castle-acl  match address castle-acl
 ! !
-interface Ethernet0/0+interface GigabitEthernet1
  crypto map svpn-map  crypto map svpn-map
  no shutdown  no shutdown
Line 73: Line 75:
 <code>en <code>en
 conf t conf t
 +no ip domain lookup
 hostname r2-spoke hostname r2-spoke
 line con 0 line con 0
 +history size 256
 logg syn logg syn
 exec-timeout 0 0 exec-timeout 0 0
Line 83: Line 87:
  ip address 2.2.2.2 255.255.255.255  ip address 2.2.2.2 255.255.255.255
 ! !
-interface Ethernet0/0+interface GigabitEthernet1
  shutdown  shutdown
  ip address 12.1.1.2 255.255.255.0  ip address 12.1.1.2 255.255.255.0
Line 120: Line 124:
  match address castle-acl  match address castle-acl
 ! !
-interface Ethernet0/0+interface GigabitEthernet1
  crypto map svpn-map  crypto map svpn-map
  no shutdown  no shutdown
Line 135: Line 139:
   * The ping should fail for this initial configuration. Now the steps will be detailed to isolate the root cause.   * The ping should fail for this initial configuration. Now the steps will be detailed to isolate the root cause.
  
 +<code>r1-hub#show crypto ikev2 sa
 +r1-hub#</code>
 +  * Nothing returned. The neighbor is missing. The next step is to check the CEF table on the hub.
 +<code>r1-hub#show ip cef 12.1.1.2
 +12.1.1.2/32
 +  attached to GigabitEthernet1</code>
 +  * The hub's CEF table has the correct entry. This tells us that layers 1-3 are correct. If you want, you can view the ARP table to confirm.
 +<code>r1-hub#show ip arp 12.1.1.2
 +Protocol  Address          Age (min)  Hardware Addr   Type   Interface
 +Internet  12.1.1.2                9   5000.0004.0000  ARPA   GigabitEthernet1</code>
 +  * A packet capture on the hub's interface (or spoke) will reveal that their are no ESP packets being exchanged.
 +  * The following packet capture is taken when trying to ping the spoke from the hub.
 +{{ :cisco:books:ccnp_300-730:ch3:001:Lab-001-IKEv2-Capture.png?900 |Lab-001-IKEv2-Capture}}
 +  * Notice the absent of the ESP packets from [[:cisco:books:ccnp_300-730:ch3:000|Lab 000]].
 +  * Turn on debugging to examine the packet flows.
 +<code>r1-hub#debug crypto ikev2
 +IKEv2 default debugging is on</code>
 +  * Now ping the spoke again.
 +<code>r1-hub#ping 12.1.1.2
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
  
 +*Aug 31 15:17:56.832: IKEv2:% Getting preshared key from profile keyring lion-key
 +*Aug 31 15:17:56.833: IKEv2:% Matched peer block 'peer-remote'
 +*Aug 31 15:17:56.833: IKEv2:Searching Policy with fvrf 0, local address 12.1.1.1
 +*Aug 31 15:17:56.833: IKEv2:Found Policy 'svpn-policy'
 +*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
 +*Aug 31 15:17:56.833: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
 +*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
 +*Aug 31 15:17:56.833: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
 +*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
 +*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), 
 +Num. transforms: 4
 +   AES-CBC   SHA512   SHA512   DH_GROUP_2048_MODP/Group 14 
  
 +*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0] 
 +Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 0000000000000000 Message id: 0
 +IKEv2 IKE_SA_INIT Exchange REQUEST 
 +Payload contents: 
 + SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 
  
 +*Aug 31 15:17:56.833: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA 
  
 +*Aug 31 15:17:56.859: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0] 
 +Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 0
 +IKEv2 IKE_SA_INIT Exchange RESPONSE 
 +Payload contents: 
 + SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 
  
 +*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
 +*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message
 +*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
 +*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
 +*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found
 +*Aug 31 15:17:56.860: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
 +*Aug 31 15:17:56.884: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
 +*Aug 31 15:17:56.884: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret
 +*Aug 31 15:17:56.884: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
 +*Aug 31 15:17:56.884: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
 +*Aug 31 15:17:56.884: IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
 +*Aug 31 15:17:56.884: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
 +*Aug 31 15:17:56.884: IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
 +*Aug 31 15:17:56.884: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 12.1.1.1, key len 5
 +*Aug 31 15:17:56.884: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
 +*Aug 31 15:17:56.884: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
 +*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method
 +*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is 'PSK'
 +*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
 +*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message
 +*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: '12.1.1.1' of type 'IPv4 address'
 +*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), 
 +Num. transforms: 3
 +   AES-CBC   SHA512   Don't use ESN
 +*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.  
 +Payload contents: 
 + VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) 
  
 +*Aug 31 15:17:56.885: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0] 
 +Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 1
 +IKEv2 IKE_AUTH Exchange REQUEST 
 +Payload contents: 
 + ENCR 
 + 
 +
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0] 
 +Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 1
 +IKEv2 IKE_AUTH Exchange RESPONSE 
 +Payload contents: 
 + VID IDr AUTH NOTIFY(TS_UNACCEPTABLE) 
 +
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
 +*Aug 31 15:17:56.891: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Searching policy based on peer's identity '12.1.1.2' of type 'IPv4 address'
 +*Aug 31 15:17:56.891: IKEv2:Searching Policy with fvrf 0, local address 12.1.1.1
 +*Aug 31 15:17:56.891: IKEv2:Found Policy 'svpn-policy'
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's policy
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's policy verified
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's authentication method
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's authentication method is 'PSK'
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's preshared key for 12.1.1.2
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's authentication data
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 12.1.1.2, key len 5
 +*Aug 31 15:17:56.891: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
 +*Aug 31 15:17:56.891: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Verification of peer's authenctication data PASSED
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Session with IKE ID PAIR (12.1.1.2, 12.1.1.1) is UP
 +*Aug 31 15:17:56.891: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Checking for duplicate IKEv2 SA
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):No duplicate IKEv2 SA found
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Queuing IKE SA delete request reason: unknown
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0x45BE1F9C]
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.  
 +Payload contents: 
 + DELETE
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window 
 +
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0] 
 +Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 2
 +IKEv2 INFORMATIONAL Exchange REQUEST 
 +Payload contents: 
 + ENCR 
 +
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IKEv2 SA [ISPI: 0x6DE15BF054EB9486 RSPI: 0x281E8E3CD1936670]
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.  
 +Payload contents: 
 + DELETE
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing active SA
 +*Aug 31 15:17:56.891: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs 
 +
 +*Aug 31 15:17:56.892: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0] 
 +Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 2
 +IKEv2 INFORMATIONAL Exchange RESPONSE 
 +Payload contents: 
 + 
 +
 +*Aug 31 15:17:56.892: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
 +*Aug 31 15:17:56.892: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
 +*Aug 31 15:17:56.892: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs 
 +
 +*Aug 31 15:17:56.892: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0] 
 +Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 3
 +IKEv2 INFORMATIONAL Exchange REQUEST 
 +Payload contents: 
 + ENCR 
 + 
 +
 +*Aug 31 15:17:56.893: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0] 
 +Initiator SPI : 6DE15BF054EB9486 - Responder SPI : 281E8E3CD1936670 Message id: 3
 +IKEv2 INFORMATIONAL Exchange RESPONSE 
 +Payload contents: 
 + 
 +
 +*Aug 31 15:17:56.893: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
 +*Aug 31 15:17:56.893: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA.....
 +Success rate is 0 percent (0/5)
 +r1-hub#
 +*Aug 31 15:18:26.837: IKEv2:% Getting preshared key from profile keyring lion-key
 +*Aug 31 15:18:26.838: IKEv2:% Matched peer block 'peer-remote'
 +*Aug 31 15:18:26.838: IKEv2:Searching Policy with fvrf 0, local address 12.1.1.1
 +*Aug 31 15:18:26.838: IKEv2:Found Policy 'svpn-policy'
 +*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH public key, DH Group 14
 +*Aug 31 15:18:26.838: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
 +*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH key
 +*Aug 31 15:18:26.838: IKEv2:IKEv2 initiator - no config data to send in IKE_SA_INIT exch
 +*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_SA_INIT message
 +*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):IKE Proposal: 1, SPI size: 0 (initial negotiation), 
 +Num. transforms: 4
 +   AES-CBC   SHA512   SHA512   DH_GROUP_2048_MODP/Group 14 
 +
 +*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0] 
 +Initiator SPI : C93696F08692939D - Responder SPI : 0000000000000000 Message id: 0
 +IKEv2 IKE_SA_INIT Exchange REQUEST 
 +Payload contents: 
 + SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 
 +
 +*Aug 31 15:18:26.838: IKEv2:(SESSION ID = 1,SA ID = 1):Insert SA 
 +
 +*Aug 31 15:18:26.865: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0] 
 +Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 0
 +IKEv2 IKE_SA_INIT Exchange RESPONSE 
 +Payload contents: 
 + SA KE N VID VID VID VID NOTIFY(NAT_DETECTION_SOURCE_IP) NOTIFY(NAT_DETECTION_DESTINATION_IP) 
 +
 +*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
 +*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):Verify SA init message
 +*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):Processing IKE_SA_INIT message
 +*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):Checking NAT discovery
 +*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):NAT not found
 +*Aug 31 15:18:26.866: IKEv2:(SESSION ID = 1,SA ID = 1):[IKEv2 -> Crypto Engine] Computing DH secret key, DH Group 14
 +*Aug 31 15:18:26.891: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] DH key Computation PASSED
 +*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Request queued for computation of DH secret
 +*Aug 31 15:18:26.891: IKEv2:(SA ID = 1):[IKEv2 -> Crypto Engine] Calculate SKEYSEED and create rekeyed IKEv2 SA
 +*Aug 31 15:18:26.891: IKEv2:(SA ID = 1):[Crypto Engine -> IKEv2] SKEYSEED calculation and creation of rekeyed IKEv2 SA PASSED
 +*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Completed SA init exchange
 +*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
 +*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Generate my authentication data
 +*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 12.1.1.1, key len 5
 +*Aug 31 15:18:26.891: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
 +*Aug 31 15:18:26.891: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
 +*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Get my authentication method
 +*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):My authentication method is 'PSK'
 +*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
 +*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Generating IKE_AUTH message
 +*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Constructing IDi payload: '12.1.1.1' of type 'IPv4 address'
 +*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), 
 +Num. transforms: 3
 +   AES-CBC   SHA512   Don't use ESN
 +*Aug 31 15:18:26.891: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.  
 +Payload contents: 
 + VID IDi AUTH SA TSi TSr NOTIFY(INITIAL_CONTACT) NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) 
 +
 +*Aug 31 15:18:26.892: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0] 
 +Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 1
 +IKEv2 IKE_AUTH Exchange REQUEST 
 +Payload contents: 
 + ENCR 
 + 
 +
 +*Aug 31 15:18:26.898: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0] 
 +Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 1
 +IKEv2 IKE_AUTH Exchange RESPONSE 
 +Payload contents: 
 + VID IDr AUTH NOTIFY(TS_UNACCEPTABLE) 
 +
 +*Aug 31 15:18:26.898: IKEv2:(SESSION ID = 1,SA ID = 1):Process auth response notify
 +*Aug 31 15:18:26.898: IKEv2-ERROR:(SESSION ID = 1,SA ID = 1):
 +*Aug 31 15:18:26.898: IKEv2:(SESSION ID = 1,SA ID = 1):Searching policy based on peer's identity '12.1.1.2' of type 'IPv4 address'
 +*Aug 31 15:18:26.899: IKEv2:Searching Policy with fvrf 0, local address 12.1.1.1
 +*Aug 31 15:18:26.899: IKEv2:Found Policy 'svpn-policy'
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's policy
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's policy verified
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's authentication method
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Peer's authentication method is 'PSK'
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Get peer's preshared key for 12.1.1.2
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Verify peer's authentication data
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Use preshared key for id 12.1.1.2, key len 5
 +*Aug 31 15:18:26.899: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
 +*Aug 31 15:18:26.899: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Verification of peer's authenctication data PASSED
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Check for EAP exchange
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Session with IKE ID PAIR (12.1.1.2, 12.1.1.1) is UP
 +*Aug 31 15:18:26.899: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Checking for duplicate IKEv2 SA
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):No duplicate IKEv2 SA found
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Queuing IKE SA delete request reason: unknown
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IPsec SA [SPI: 0x99324D76]
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.  
 +Payload contents: 
 + DELETE
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window 
 +
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0] 
 +Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 2
 +IKEv2 INFORMATIONAL Exchange REQUEST 
 +Payload contents: 
 + ENCR 
 +
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Sending DELETE INFO message for IKEv2 SA [ISPI: 0xC93696F08692939D RSPI: 0x417A337996780CD8]
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Building packet for encryption.  
 +Payload contents: 
 + DELETE
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Checking if request will fit in peer window
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing active SA
 +*Aug 31 15:18:26.899: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs 
 +
 +*Aug 31 15:18:26.901: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0] 
 +Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 2
 +IKEv2 INFORMATIONAL Exchange RESPONSE 
 +Payload contents: 
 + 
 +
 +*Aug 31 15:18:26.901: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
 +*Aug 31 15:18:26.901: IKEv2:(SESSION ID = 1,SA ID = 1):Check for existing IPSEC SA
 +*Aug 31 15:18:26.901: IKEv2:(SESSION ID = 1,SA ID = 1):Delete all IKE SAs 
 +
 +*Aug 31 15:18:26.901: IKEv2:(SESSION ID = 1,SA ID = 1):Sending Packet [To 12.1.1.2:500/From 12.1.1.1:500/VRF i0:f0] 
 +Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 3
 +IKEv2 INFORMATIONAL Exchange REQUEST 
 +Payload contents: 
 + ENCR 
 + 
 +
 +r1-hub#
 +*Aug 31 15:18:26.902: IKEv2:(SESSION ID = 1,SA ID = 1):Received Packet [From 12.1.1.2:500/To 12.1.1.1:500/VRF i0:f0] 
 +Initiator SPI : C93696F08692939D - Responder SPI : 417A337996780CD8 Message id: 3
 +IKEv2 INFORMATIONAL Exchange RESPONSE 
 +Payload contents: 
 + 
 +
 +*Aug 31 15:18:26.902: IKEv2:(SESSION ID = 1,SA ID = 1):Processing ACK to informational exchange
 +*Aug 31 15:18:26.902: IKEv2:(SESSION ID = 1,SA ID = 1):Deleting SA</code>
 +  * Scroll the top where the IKEv2 is retrieving its configuration.
 +<code>*Aug 31 15:17:56.832: IKEv2:% Getting preshared key from profile keyring lion-key
 +*Aug 31 15:17:56.833: IKEv2:% Matched peer block 'peer-remote'
 +{Output omitted.}</code>
 +  * Notice how the output keeps deleting the SA, then rebuilding the SA to send again. Turn on debugging on the spoke and try to ping the hub.
 +<code>r2-spoke#debug crypto ikev2   
 +IKEv2 default debugging is on
 +r2-spoke#ping 12.1.1.1</code>
 +  * The spoke is not generating the same style output as the hub. Lets verify the crypto configuration on the interface first.
 +<code>r2-spoke#show run int g1
 +Building configuration...
 +
 +Current configuration : 138 bytes
 +!
 +interface GigabitEthernet1
 + ip address 12.1.1.2 255.255.255.0
 + negotiation auto
 + no mop enabled
 + no mop sysid
 + crypto map svpn-map
 +end</code>
 +  * The interface configuration looks correct. Next is to verify the crypto configuration and double-check the mapping.
 +<code>r2-spoke#show run | s crypto
 +! Ignore the PKI cert info at the top.
 +crypto ikev2 proposal rook-proposal 
 + encryption aes-cbc-256
 + integrity sha512
 + group 14
 +crypto ikev2 policy svpn-policy 
 + proposal rook-proposal
 +crypto ikev2 keyring lion-key
 + peer peer-remote
 +  address 12.1.1.1
 +  pre-shared-key cisco
 + !
 +crypto ikev2 profile side-profile
 + match identity remote address 12.1.1.1 255.255.255.255 
 + authentication remote pre-share
 + authentication local pre-share
 + keyring local lion-key
 +crypto ipsec transform-set tset esp-aes esp-sha512-hmac 
 + mode tunnel
 +crypto map svpn-map 10 ipsec-isakmp 
 + set peer 12.1.1.1
 + set transform-set tset 
 + set pfs group14
 + set ikev2-profile side-profile
 + match address castle-acl</code>
 +  * The **crypto map svpn-map** does match. Reading through Chapter 3, as referenced above, concludes that the crypto configuration is correct. Lets look at the access-list the crypto map is referencing.
 +<code>r2-spoke#show run | s access-list extended castle-acl
 +ip access-list extended castle-acl
 + permit ip host 12.1.1.1 host 12.1.1.2<code>
 +  * At first glance, it seems the ACL is correct, but the permit line is subtly backwards. Flip the hosts around and test again.
 +  * The next step is for demonstration purposes to show what happens when the access-list in-use is attempted to be edited.
 +<code>2-spoke#conf t
 +Enter configuration commands, one per line.  End with CNTL/Z.
 +r2-spoke(config)#ip access-list extended castle-acl
 +r2-spoke(config-ext-nacl)#no  10 permit ip host 12.1.1.1 host 12.1.1.2
 +%ACL castle-acl can not be modified/deleted, as it is used in crypto-map svpn-map
 +%Please first remove the ACL from crypto map or remove the crypto map from the interface</code>
 +  * This is the correct procedure to migrate the ACL entry to the end.
 +<code>r2-spoke#conf t
 +Enter configuration commands, one per line.  End with CNTL/Z.
 +r2-spoke(config)#int g1 
 +r2-spoke(config-if)#no crypto map
 +r2-spoke(config-if)#
 +*Aug 31 17:23:37.223: (ipsec_license_release) IPSEC License handle release failed (55)
 +r2-spoke(config-if)#
 +*Aug 31 17:23:37.323: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
 +r2-spoke(config-if)#ip access-list extended castle-acl
 +r2-spoke(config-ext-nacl)#no  10 permit ip host 12.1.1.1 host 12.1.1.2
 +r2-spoke(config-ext-nacl)#10 permit ip host 12.1.1.2 host 12.1.1.1</code>
 +  * Verify the ACL is correct.
 +<code>r2-spoke(config-if)#do show run | s access-list extended castle-acl
 +ip access-list extended castle-acl
 + 10 permit ip host 12.1.1.2 host 12.1.1.1</code> 
 +  * The ACL is now correct. Next, add the crypto map back on the interface.
 +<code>r2-spoke(config-ext-nacl)#int g1
 +r2-spoke(config-if)# crypto map svpn-map</code>
 +  * Turn debugging off on the hub and spoke.
 +<code>r1-hub#u all
 +All possible debugging has been turned off</code>
 +<code>r2-spoke#u all
 +All possible debugging has been turned off</code>
 +  * Test with a ping again from either the hub or spoke.
 +<code>r1-hub#ping 12.1.1.2
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 12.1.1.2, timeout is 2 seconds:
 +!!!!!
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms</code>
 +<code>r2-spoke#ping 12.1.1.1
 +Type escape sequence to abort.
 +Sending 5, 100-byte ICMP Echos to 12.1.1.1, timeout is 2 seconds:
 +!!!!!
 +Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms</code>
 +  * Success. Verify the crypto sa.
 +<code>r1-hub#show crypto ikev2 sa 
 + IPv4 Crypto IKEv2  SA 
  
 +Tunnel-id Local                 Remote                fvrf/ivrf            Status 
 +1         12.1.1.1/500          12.1.1.2/500          none/none            READY  
 +      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK
 +      Life/Active Time: 86400/276 sec</code>
 +<code>r2-spoke#show crypto ikev2 sa
 + IPv4 Crypto IKEv2  SA 
  
-  * Packet Capture on r1-hub e0/0 interface+Tunnel-id Local                 Remote                fvrf/ivrf            Status  
-{{ :cisco:books:ccnp_300-730:ch3:000:Lab-000-IKEv2-Overview.png?900 |Lab-001-Overview}}\\ +1         12.1.1.2/500          12.1.1.1/500          none/none            READY   
 +      Encr: AES-CBC, keysize: 256, PRF: SHA512, Hash: SHA512, DH Grp:14, Auth sign: PSK, Auth verify: PSK 
 +      Life/Active Time: 86400/313 sec</code> 
 +  * One last check with Wireshark while pinging
 +{{ :cisco:books:ccnp_300-730:ch3:001:Lab-001-IKEv2-Capture2.png?900 |Lab-001-IKEv2-Capture2}}\\ 
  
  
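Review bot: the spoke's ''show run | s access-list extended castle-acl'' block is closed with ''<code>'' instead of ''</code>'', so everything after it (the ''conf t'' walkthrough, the ''u all'' blocks, the final pings, the ''show crypto ikev2 sa'' output and the capture image) renders inside one unterminated code block; fix that closing tag first. Two smaller defects in the same stretch: the prompt ''2-spoke#conf t'' in the block that demonstrates editing an in-use ACL has lost its leading ''r'' (it is ''r2-spoke#'' everywhere else), and the root-cause bullet ("the permit line is subtly backwards") would be much stronger if it pointed at the evidence already captured in the hub debug: the spoke answers the IKE_AUTH request with ''VID IDr AUTH NOTIFY(TS_UNACCEPTABLE)'', after which the hub logs ''Queuing IKE SA delete request reason: unknown'' and tears the IKE SA down, which is the traffic-selector rejection you get when the spoke's crypto ACL permits ''host 12.1.1.1 host 12.1.1.2'' (remote as source) instead of the mirror image of the hub's ACL. Stating the rule (a crypto ACL is written from the local router's point of view, local source to remote destination, and the two sides must mirror each other) turns "subtly backwards" into something the reader can check on any crypto map, and it also explains the earlier observations that IKE_SA_INIT completes, PSK authentication passes on both sides, and no ESP ever appears in the capture. From a defender's point of view, ''pre-shared-key cisco'' is printed in clear text in the ''show run | s crypto'' output (the debug confirms ''key len 5''); for a published page either mask it or say explicitly that it is a throwaway lab value, so nobody copies it into a real deployment. Wording in the bullets: "their are no ESP packets" should be "there are", "absent of the ESP packets" should be "absence of", "Scroll the top" should be "Scroll to the top", "Lets" should be "Let's" (twice), and "the correct procedure to migrate the ACL entry to the end" does not describe what the block shows, which is removing the crypto map from the interface, replacing sequence 10 in place, and reattaching the crypto map; call it the procedure for editing an ACL that a crypto map references.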
cisco/books/ccnp_300-730/ch3/001.1756652378.txt.gz · Last modified: by Name